Social engineering is the art of exploiting human psychology rather than technical weaknesses alone. Examples include an email disguised as a message from the CEO of your company asking you to join an online meeting, or a request from an employee's bank to verify their details by clicking a malicious link. In other words, cybercriminals use social engineering to personalize their attacks: attacks intended to manipulate your human assets into unsafe actions, with the aim of getting hold of crucial data points, e.g., login credentials for your corporate network, to gain unlawful access.
Now you might be thinking that all you need to do to prevent social engineering is to ensure that no malicious emails ever reach your human assets, and that the best way to do this is an email spam protection system that blocks all malicious emails before they arrive. Great idea; however, it is not possible, as no spam filter will ever be able to stop every phishing attempt. For example, cybercriminals can launch a social engineering attack from a legitimate email account that has been compromised, and for this exact reason a spam protection system will not automatically filter such an email out.
Seeing your employees as the weakest link in your cyber security defense is inaccurate. Instead, through awareness training, employees should become your most vital first line of defense, your cyber defenders: your human firewall. A few questions you might be asking are: what is the proper awareness training, how often should it take place, what does the awareness training process look like, and so on. These are all excellent questions that I will cover in the following chapters.
Social engineering awareness training needs to be an integral part of your comprehensive cyber security program, and it is therefore critical that it is done regularly so that it is continuously reinforced. If any gaps open up in your human firewall, they should be addressed immediately. So, besides the initial awareness training you take your employees through when they onboard, you should be running regular automated malicious email simulations in which your employees are tested to see whether they can apply their training. If they fall into the simulated trap, you re-train them immediately through tailored video courses followed by a questionnaire that tests their knowledge, which means the gap in your human firewall is closed as soon as it has been identified.
Given the constantly shifting threat landscape and the steady stream of new phishing methods, social engineering awareness training should be conducted at least twice a month. If it is conducted only quarterly or annually, the cracks in your human firewall could become so large that cybercriminals get through your first line of defense.
Training should not only be performed regularly to minimize gaps in your human firewall; neuroscientists have also proven that repetition is vital for internalizing information and retaining knowledge, an approach known as spaced learning or spaced repetition learning. Spaced repetition learning is based on the way the mind works. While we can pick up facts in no time, authentic learning is best understood as a longer-term process that occurs through repetition. Employees need space and time to let information sink in, and to review and refresh their knowledge. Knowledge they get to apply in a realistic situation, using malicious email simulations, is more likely to stick than knowledge from regular classroom awareness training alone.
Continuous awareness training should be an essential part of your cyber security defense strategy. Yet, critical as it is, most people have never studied how to protect themselves from cyberattacks, in school or elsewhere. At the same time, not having a human firewall could leave your entire organization vulnerable to cyberattacks. In other words, leaving it out of your standard cyber security defense strategy would make little sense and put your business at substantial risk. By combining awareness training, which builds a strong first line of defense in your human firewall, with a technical vulnerability assessment program that ensures your technical assets are equally up to par, you will always stay one step ahead of cybercriminals. At Holm Security, we refer to this as Next-Gen Vulnerability Management.